I am trying to configure separate WebVPN connection profiles to give different portal bookmark contents to users based on their AD group membership. This has been very difficult, even though I beleive it should be easy.
The login page of teh ASA by default has a dropdown to allow default users to access the default portal and the SSL VPN client connection.
There are two other portals that I would like to restrict access to based on AD group membership. I have set these up to be selected by URL.
The biggest problem is, I have no way of knowing how to go about this. The AAA LDAP options show a group membership search, which I have configured, but I cannot say "Profile X is restricted to AD group CarpetBaggers", so that if soneone that is NOT a carpetbagger tries to log in, it fails.
I can only do an all or nothing scenario.
It would be nice to use Dynamic Access Policies to do this, and I have created a few, but they do NOT seem to work when the drop down aliases or URLs are in use. So how do I go about using them in this scenario? Turning off the aliases or URLs is not really an option right now.
Scenario 1 would work the best for me. Restrict access to profiles/groups based on AD group membership using LDAP.
Scenario 2 would be an ideal longer term solution.
Any thoughts, ideas or assitance would be greatly appreciated.
PLease checkout the DAP deployment guide https://supportforums.cisco.com/docs/DOC-1369.
So each VPN session will come in on a specific Connection Profile (aka Tunnel Group - TG ) , with each TG having a default group-policy, GP. The GP contains the authorization attributes to apply to the session. DAP is a specialized Group Policy, but currently cannot set all attributes that the legacy GP does. DAP allows aggregation of authorization attributes , which the GP doesn't.
So for your case:
1) Connection ProfileX , Group-Policy X, 1 or more DAP(s) that check for ldap attribute.memberOf=CarpetBaggers
Set the Action=Continue
Note: LDAP attributes are case sensitive, so make sure memberOf has capital O.
2) Set the DfltAccessPolicy DAP for Action=Terminate
3) Set you Connection Profile for LDAp authentication
4) on you console you can see the DAp processing by "debug dap trace".
This is exactly what i was looking for, and Nelson is correct. When you enter the DAP configuration for a profile click on "Advanced" and there is the option to create a logical expression. The guide (ther is a button to access this) is really helpful, with a couple of examples. This is what i used:
if ( (type(aaa.ldap.distinguishedName) == "string") and
(string.find(aaa.ldap.distinguishedName, "OU=Users") ~= nil) )
from the debug dap you can see what Users relates to;
DAP_TRACE: Username: MyUsername, aaa.ldap.distinguishedName = CN=Mr B,OU=Users,OU=Site ******,DC=CH,DC=Mycompany,DC=com
My admin account fails to get me in to the same profile:
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["distinguishedName"]="CN=Admin Mr B,OU=Admin Users,OU=Site *****,DC=CH,DC=Mycompany,DC=com"
i will get back to that post since there is something else that i would like to ask.
I have configured DAP policies and also user access lists(with the AD client installed).
But, what if you want the below scenario:
Apply policies between source AND destinations AD Groups.
Let the following 3 groups exist in the AD: sales, presales, accounting,
i want webvpn users to have the following policies:
sales<-> sales : allow
Keep in mind that i don't want to keep and maintain different client pools for each group.
I want to be dynamic.
it would be great if i could use user based ACLs with source and destination users or/and groups.